Council fined £150,000 for data privacy breach

Basildon Council has recently been fined £150,000 by the Information Commissioner’s Office (“ICO”) following a breach of data protection which led to the online publication of a family’s sensitive personal data.

It has been reported that an inexperienced council officer did not notice that personal information about the family was contained within planning application documents which were then made publicly available online. The personal information included a statement containing highly sensitive personal data including medical information. It has been reported that Basildon Council is taking advice and will consider whether or not to appeal the ICO’s decision.

This incident again highlights how crucial it is that all organisations that handle information about individuals ensure that they have sufficient technical and procedural systems in-place to ensure that both personal and sensitive personal data is handled with great care and only ever processed in accordance with the law. If an organisation can demonstrate to the ICO that they operate an effective system to comply with the Data Protection Act 1998 and that appropriate technical and organisational measures were in-place at the time to try and prevent a breach, then the ICO may dispense with a financial penalty altogether. This case also demonstrates the importance of having effective policies and procedures in-place for appropriately dealing with a breach of data protection once it has been discovered. In the above case, the ICO reported in its decision that the breach was aggravated by the fact that, having discovered the breach, the council failed to notify the affected individuals and take sufficient remedial action.

It is important that both private companies and public bodies take appropriate steps to ensure compliance with data privacy laws. Many organisations – particularly small to medium size businesses – may struggle to pay a financial penalty of this size. At the moment, the ICO has the power to impose a financial penalty of up to £500,000 for a breach. In addition, organisations need to be mindful of the additional financial risk that comes with litigation. Aside from substantial financial penalties imposed by the ICO, organisations can then find themselves facing separate court action by a private individual (or a group of private individuals) for compensation. If an individual has suffered damage and/or distress due to an organisation breaching their rights under the Data Protection Act 1998, then the law entitles them to bring a claim for compensation against whoever is responsible for the breach. If the breach involves the publication of a person’s sensitive personal data, then an individual may be able to claim significant sums in damages. Aside from the damages, the costs involved in defending such legal action can also be very significant.

Finally, organisations that process personal data also need to be aware of the changes coming to this area of the law next year. The General Data Protection Regulation (“GDPR”) will come into force in May 2018 and will bring with it a much stricter regime and much greater financial penalties. Under the new regime, financial penalties will increase to 4% of an organisation’s global annual turnover for the preceding financial year or the equivalent of 20 million euros – whichever is greater. Read our blog for further information.

If you are an organisation seeking advice or assistance regarding compliance with data privacy laws or if you need help with an ICO investigation or in defending a damages claim that is being brought against you for a data breach, Stephensons can help you. Contact us now on 0175 321 6399.

Alternatively, if you are an individual who has been the victim of a data protection breach, we can help you to claim compensation. Read our blog for an example of assistance that Stephensons has provided to individuals who have been the victim of a serious data protection breach or contact us now on 0175 321 6399.